xloader | 0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f

General

Target

0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
Size

1.0MB
MD5

dc73ad541f075ce3a9fb2a13fb6a4a79
SHA1

690984b552efad0d34c229200c8668f6c5baf8dc
SHA256

0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f
SHA512

9f8524ba33ed35f4eee0292e8b1dede6e305c3787e3e7c43e32b1d9b1f9ccf92209d3a01aec04cbeb94d02e6314be1ca47285738ac5d60e23d81607f32e2f138

Score

10^/10

xloader nt3f loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3180-129-0x0000000000400000-0x0000000000429000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe

description	pid	process	target process
PID 2588 set thread context of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1100 schtasks.exe

pid	process
1100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exepowershell.exe

pid	process
3180	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
3180	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 400 powershell.exe

description	pid	process
Token: SeDebugPrivilege	400	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe

description	pid	process	target process
PID 2588 wrote to memory of 400	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	powershell.exe
PID 2588 wrote to memory of 400	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	powershell.exe
PID 2588 wrote to memory of 400	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	powershell.exe
PID 2588 wrote to memory of 1100	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	schtasks.exe
PID 2588 wrote to memory of 1100	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	schtasks.exe
PID 2588 wrote to memory of 1100	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	schtasks.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
PID 2588 wrote to memory of 3180	2588	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe	0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe

C:\Users\Admin\AppData\Local\Temp\0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
"C:\Users\Admin\AppData\Local\Temp\0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UYkfikifLD.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UYkfikifLD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED69.tmp"
2⤵
- Creates scheduled task(s)
PID:1100

C:\Users\Admin\AppData\Local\Temp\0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe
"C:\Users\Admin\AppData\Local\Temp\0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3180

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED69.tmp
MD5
4ee1b963be4445ac518b4eed49d7cc37

SHA1
4e6e77f2bd20744c53ac077bd6a9d1757315d99d

SHA256
59d36ebb53dbef3b6a98269adb4a94e04fe488f6da4a45611603f67a494d4945

SHA512
c592161cf4069d7d0a2484874d1e9695d097112d528858c4e612c74e6142da5be3d1e4334a0c52c1e8c15aae55d79dfe50aa54c7940b0b4e0a42283172a04c67

Download Submit
memory/400-127-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/400-136-0x0000000006E20000-0x0000000006E3C000-memory.dmp

Filesize
112KB

Download
memory/400-354-0x0000000008DB0000-0x0000000008DB8000-memory.dmp

Filesize
32KB

Download
memory/400-155-0x0000000000D03000-0x0000000000D04000-memory.dmp

Filesize
4KB

Download
memory/400-154-0x000000007E7B0000-0x000000007E7B1000-memory.dmp

Filesize
4KB

Download
memory/400-153-0x0000000008F00000-0x0000000008FA5000-memory.dmp

Filesize
660KB

Download
memory/400-148-0x0000000008AB0000-0x0000000008ACE000-memory.dmp

Filesize
120KB

Download
memory/400-125-0x0000000000D10000-0x0000000000D46000-memory.dmp

Filesize
216KB

Download
memory/400-156-0x00000000090A0000-0x0000000009134000-memory.dmp

Filesize
592KB

Download
memory/400-349-0x0000000008FB0000-0x0000000008FCA000-memory.dmp

Filesize
104KB

Download
memory/400-147-0x0000000008DD0000-0x0000000008E03000-memory.dmp

Filesize
204KB

Download
memory/400-128-0x0000000000D02000-0x0000000000D03000-memory.dmp

Filesize
4KB

Download
memory/400-130-0x0000000006E50000-0x0000000007478000-memory.dmp

Filesize
6.2MB

Download
memory/400-138-0x0000000007CD0000-0x0000000007D46000-memory.dmp

Filesize
472KB

Download
memory/400-132-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

Filesize
136KB

Download
memory/400-133-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/400-134-0x00000000074F0000-0x0000000007556000-memory.dmp

Filesize
408KB

Download
memory/400-135-0x00000000075D0000-0x0000000007920000-memory.dmp

Filesize
3.3MB

Download
memory/400-137-0x0000000007480000-0x00000000074CB000-memory.dmp

Filesize
300KB

Download
memory/2588-122-0x0000000007EF0000-0x0000000007FB0000-memory.dmp

Filesize
768KB

Download
memory/2588-115-0x0000000000970000-0x0000000000A7E000-memory.dmp

Filesize
1.1MB

Download
memory/2588-121-0x0000000007C50000-0x0000000007CEC000-memory.dmp

Filesize
624KB

Download
memory/2588-120-0x0000000005660000-0x0000000005674000-memory.dmp

Filesize
80KB

Download
memory/2588-119-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/2588-118-0x0000000005420000-0x000000000591E000-memory.dmp

Filesize
5.0MB

Download
memory/2588-117-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/2588-116-0x0000000005920000-0x0000000005E1E000-memory.dmp

Filesize
5.0MB

Download
memory/3180-131-0x0000000000F90000-0x00000000012B0000-memory.dmp

Filesize
3.1MB

Download
memory/3180-129-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads